Noticing some Windows Servers getting updates online

Cody 321 Reputation points
2021-10-16T06:20:40.257+00:00

I've been noticing that a few of the Windows Servers are getting their Windows Updates online alongside Configuration Manager. After some investigation, I found that those servers got their Windows Updates online and rebooted outside of their maintenance window. Those servers did not have the GPO policy Computer Configuration\Administrative Templates\Windows Components\Windows Updates\Specify intranet Microsoft update service location enabled (GPO Name: Local Group Policy) and set to the SCCM server.

From my understanding, I do NOT need to create any GPO and specify the intranet address as I would with WSUS; this is set by the Configuration Manager client. I'm still a little unclear as to how this is done, but I believe it's done through C:\Windows\System32\GroupPolicy\Machine\Registry.pol. Correct me if I'm wrong.

If it is the Registry.pol file, what's preventing it from applying to those few servers? If it is not the Registry.pol file, what is creating the policy that tells the client to look to the SCCM server on the intranet and prevents it from going out online?

Also, just to get a clear understanding (I've looked online):
What is the significance of SMSCFG.ini?
I know that we need to remove it if we're trying to re-install the client, for example from a clone.

What is the Registry.pol and how does it affect the client policy?


Accepted answer
  1. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2021-10-19T08:53:19.65+00:00

    Hi, @Cody

    Double-check that the SUP has been assigned to the default boundary group.

    Then try the following steps to see if they help:
    Delete the registry value:
    Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

    Run the Software Updates scan through the Configuration Manager applet in Control Panel, then check ScanAgent.log.

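To see which side of this the affected servers fall on before deleting anything, the following audit script (added here as an example; it is not code from the thread or from Microsoft) reads the local-policy values that the Configuration Manager client writes via Registry.pol, flags a server whose intranet update location is missing, disabled or pointing somewhere other than the expected SUP, shows the tail of WUAHandler.log, and can optionally trigger the same Software Updates Scan Cycle that the Control Panel applet runs. The SUP URL is a placeholder you must replace, and it assumes it is run locally with administrative rights.

```powershell
# Audit the Windows Update policy on a ConfigMgr-managed server (added example).
# -ExpectedSup: the SUP URL the client should be using (placeholder hostname below).
param(
    [string]$ExpectedSup = 'http://sccm-sup.example.local:8530',   # assumed placeholder
    [switch]$TriggerScan
)

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Registry.pol written by the ConfigMgr client surfaces as these local-policy values.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

$report = [ordered]@{
    Computer       = $env:COMPUTERNAME
    WUServer       = $wu.WUServer
    WUStatusServer = $wu.WUStatusServer
    UseWUServer    = $au.UseWUServer
    RegistryPol    = Test-Path "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"
    CcmClient      = $null -ne (Get-Service -Name CcmExec -ErrorAction SilentlyContinue)
}

# A server is at risk of scanning Microsoft Update directly when the intranet
# location is absent, not enabled (UseWUServer <> 1), or differs from the SUP.
$report['AtRisk'] = (-not $report.WUServer) -or
                    ($report.UseWUServer -ne 1) -or
                    ($report.WUServer -ne $ExpectedSup)

# The last WUAHandler.log lines show which server the scan actually used.
$log = "$env:SystemRoot\CCM\Logs\WUAHandler.log"
if (Test-Path $log) {
    $report['LastWuaHandlerLines'] = (Get-Content -Path $log -Tail 5) -join "`n"
}

[pscustomobject]$report | Format-List

if ($TriggerScan -and $report.CcmClient) {
    # Software Updates Scan Cycle, the same action as the applet in the answer above.
    Invoke-CimMethod -Namespace 'root\ccm' -ClassName 'SMS_Client' -MethodName 'TriggerSchedule' `
        -Arguments @{ sScheduleID = '{00000000-0000-0000-0000-000000000113}' }
}
```

Servers reported as AtRisk with the ConfigMgr client present but no WUServer value are the ones to investigate with the boundary-group check from this answer.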

5 additional answers

  1. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2021-10-16T14:47:57.797+00:00

    Are you using a GPO or client settings to provide the location of the update server? If you are managing the devices for security updates using ConfigMgr, then just use client settings. Don't use a GPO in this case, or else this will result in all kinds of problems and conflicts.


  2. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2021-10-18T08:44:12.137+00:00

    Hi, @Cody
    Thank you for posting in Microsoft Q&A forum.

    I do NOT need to create any GPO and specify the intranet address like using WSUS.

    Yes, we do not need to configure any GPO manually.

    You may check wuahandler.log and scanagent.log for more details, and check whether your boundary and boundary group are configured correctly.
    Someone met the same issue, and the reason was that the default boundary group didn't have any reference server in it.

    For your reference:
    https://learn.microsoft.com/en-us/answers/questions/125580/sccm-client-install-and-local-group-policy-update.html


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.



  3. Cody 321 Reputation points
    2021-10-18T17:20:48.857+00:00

    Thanks for replying RahulJindal-2267, AllenLiu-MSFT

    @AllenLiu-MSFT ,
    I would say yes, the boundary and boundary group are configured correctly, since I have multiple Windows versions across servers on the same boundary and boundary group that are not having any issues. But I went ahead and verified and confirmed that they are configured correctly.

    I did check the ScanAgent.log on a couple of the clients and found that it did have a log line stating "Sources are not current" (per the link you provided). What the heck, this shouldn't have happened!

    I dug deeper into the network and found that the servers were configured with multiple NICs: one with the actual IP, subnet and gateway, and a second configured for loopback with an IP and subnet but no gateway. Both IP addresses for the 1st and 2nd NICs are on the same subnet (boundary and boundary group). Could this be the reason? If so, how is this normally handled?


  4. Rahul Jindal [MVP] 10,911 Reputation points MVP
    2021-10-18T20:57:06.653+00:00

    What do you see in wuahandler.log?
